Microsoft Makes Office 2007 More Secure

BARCELONAMicrosoft is releasing the 2007 Office Security Guide, which gives IT administrators guidance for configuring the settings in Microsoft Office 2007 so that it can be deployed and managed more securely.
The guide, which Microsoft says provides prescriptive Group Policy setting and security configuration recommendations to strengthen the security of computers running the 2007 Microsoft Office release on Windows Vista or Windows XP in domain-based environments, can be found here.

It is the result of a year's worth of work with customers, partners and government agencies, and follows a public beta release this summer, Josh Edwards, technical product manager for Microsoft Office, told eWEEK in an interview here at the TechEd IT Forum conference.

The guide essentially consists of three parts. The first is an introduction to security, the architecture and how it is implemented, while the second gives an extensive look at the 300 chosen administrative controls and settings, including what they are, how they get configured, and the threats they mitigate. It also provides a large spreadsheet of all these security settings and what is configured on and out of the box, as well as for every other scenario.
The third component is the GPO Accelerator tool, a script that creates Group Policy Objects to deploy security settings for the 2007 Microsoft Office release on Windows Vista and Windows XP in Active Directory environments.
Customers can use the tool to roll out the two baseline configurations (enterprise client, and specialized security with limited functionality) as is, or use it to customize them.
"Either way they are starting out from a point where most of the work is already done, and they are tweaking things unique to their environment. This is the tool that allows customers to configure all of that," Edwards said.
He said that customers and partners "told us they wanted additional administrator controls, and so we tested and documented the 300 that are most focused on security."
This was also in response to the evolution in the security environment away from attacks focused on the operating system to those directed at the application layer, he said, adding that the guide was designed to show administrators all of the security features Microsoft had built into Office 2007, and give users a means of dynamically adjusting those.
The idea is that if, going forward, the threat landscape changes, customers will be able to immediately configure and change those settings to mitigate that particular type of threat, Edwards said.
He said one of the things that had been closely examined was the impact that these settings and configurations could have on productivity.
"The enterprise client scenario was designed to balance security and usability needs, so there certainly could be an impact there. But all of these settings have been extensively tested and documented and we were able to find out, during the course of that testing process, which add-ins were no longer functional under that configuration," he said.
All of that information was provided in the guide, which gives administrators advance notice of the potential problems that could arise with the applications they ran under those configurations, he said, noting that there would be some applications that did not conform to any of the scenarios that had been tested.
"I certainly can't say that it is completely comprehensive and that we have covered every scenario," he said. "But we have ensured that if users do configure their settings and use Office in these ways, they have the ability to control the security around that and take action without having to break productivity if those particular features are important to them."
The specialized-security, limited-functionality scenario was geared towards government intelligence, defense and other high-security environments where customers were optimizing for security and willing to sacrifice a degree of productivity and/or functionality, he said.
While the guidance could be useful "at a high level" to customers who have not yet deployed Office 2007, the problem was that many of the settings that were being used to configure this latest guidance did not exist in previous versions, Edwards said.

Peter Galli has been a financial/technology reporter for 12 years at leading publications in South Africa, the UK and the US. He has been Investment Editor of South Africa's Business Day Newspaper, the sister publication of the Financial Times of London.

He was also Group Financial Communications Manager for First National Bank, the second largest banking group in South Africa, before moving on to become Executive News Editor of Business Report, the largest daily financial newspaper in South Africa, owned by the global Independent Newspapers group.

He was responsible for a national reporting team of 20 based in four bureaus. He also edited and contributed to its weekly technology page, and launched a financial and technology radio service supplying daily news bulletins to the national broadcaster, the South African Broadcasting Corporation, which were then distributed to some 50 radio stations across the country.

He was then transferred to San Francisco as Business Report's U.S. Correspondent to cover Silicon Valley, trade and finance between the US, Europe and emerging markets like South Africa. After serving that role for more than two years, he joined eWeek as a Senior Editor, covering software platforms in August 2000.

He has comprehensively covered Microsoft and its Windows and .Net platforms, as well as the many legal challenges it has faced. He has also focused on Sun Microsystems and its Solaris operating environment, Java and Unix offerings. He covers developments in the open source community, particularly around the Linux kernel and the effects it will have on the enterprise.

He has written extensively about new products for the Linux and Unix platforms, the development of open standards and critically looked at the potential Linux has to offer an alternative operating system and platform to Windows, .Net and Unix-based solutions like Solaris.

His interviews with senior industry executives include Microsoft CEO Steve Ballmer, Linus Torvalds, the original developer of the Linux operating system, Sun CEO Scott McNealy, and Bill Zeitler, a senior vice president at IBM.

For numerous examples of his writing you can search under his name at the eWEEK Website at www.eweek.com.